It's cool that stuff like vector file formats is still being reinvented. What's the new idea(s) here, though?
Like, I get that it's new and has better features (better compression, faster decoding, etc.) --- but what are the new ideas or insights that led to this design?
The rest were less good for me personally. Either over-dramatic and shallow (with a sexy-sounding topic) or too procedural in topics I'm not an expert in.
Somehow it did not get much attention, but Signal president Meredith Whittaker (together with
Udbhav Tiwari) spoke about the risks and threats from AI-enabled systems.
Foundation workshop: Hands-on, how does the Internet work?
by Ingo Blechschmidt, is congress at its best. Getting a diverse set of people with various backgrounds and knowledge levels to
ARP spoof in a little over an hour is art.
Meredith's talk was extremely scripted, not very original and then she ducked out of taking any audience questions. Udbhav awkwardly stood there but seemed like he could have had much more to say. It was hard to watch.
Mona Wang's talk early on Day 2 wasn't recorded but was the polar opposite -- Original, off-the-cuff, engaging, and just fun to witness.
The Asahi talk was good, but the video switched waaaayyyyy too often between slide only -> slide + speaker -> stage -> only speaker. Made me kinda uncomfortable.
"Liberation of the Freebox": a slightly crazy Frenchman embarks on a quest to find an exploit and write a complex exploit chain, using PrDoom and the Linux HFS+ driver to gain root privileges on his set-top box. All this in order to unlock the recording of somewhat rubbish TV channels such as TF1 and M6.
And he waited almost ten years and the retirement of the hardware to reveal it because he didn't want it to be patched.
If you are into hardware emulation "From silicon to Darude sand-storm" is fun.
Absolutely Cory Doctorow's, for the showmanship alone. Lovely background slides. The message itself might not resonate with everyone.
The talk "Look Up" about unencrypted data over DVB satellite links was also thought-provoking, both in presentation and in technical content. If there's that much data unencrypted over a mainstream IP link, imagine how much is still on legacy protocols in 2025.
I am not so much into videos but due to some extended interest in the matter I decided to watch the recording of that talk and I do not regret it. Much recommended to everyone who is interested in the state of the art of precision time synchronization over network. Also, in my opinion this talk is presented masterfully with most of the time actually spent on a convincing live demo.
Just for sheer geekery's sake probably the ISDN talk.
For OMG eye opening factor the FreeBSD jails talk (how the hell is this thing still so buggy?) and the talk on unencrypted satellite links
For excellent follow-along value and dedication to ridiculously pointless cause the Freebox talk. "Technically I don't own this box so instead of risking damaging it I'm going to take the extremely long and entertaining route around, somehow involving Doom WAD files"
Linus has said a lot of stuff over the years and not all of it was on the money. Still, he did a lot of good and I'm very grateful for it, Linux has been my daily driver for almost two decades now (basically from when I stopped using SGI because there was no point any more).
But bugs in large codebases will always be a thing, and even though the eyes looking at FreeBSD are very, very good eyes, indeed there are not enough of them. The more interesting thing here is that they picked a really hard target. If they had done the same with Linux I would expect the number of bugs to be quite a bit higher.
The biggest problem with ccc is that:
0. They are releasing too few tickets.
1. They are releasing the tickets too late.
3. Still not able to pay with card?
I live somewhat nearby, but can’t book or plan a visit because of this. I appreciate that they are releasing videos shortly afterwards though.
Ad too few tickets: I happen to live close by the venue (CCH in Hamburg), and they fill it up. And they do fill it up. That is the limiting factor.
Some person that wanted to get a ticket not getting one is bad, but what is worse is to have more visitors than you or the venue can safely handle. This and of course you still want it to work for the type of event you're doing, with multiple stages, parallel talks, ideally minimum walking distances, not a lot of extra tech to rent in terms of projection, sound etc.
To my knowledge the 3C congresses have been a story of growth and having to move to the next-bigger venue throughout the years.
You can pay with a card, but there is an additional 5 Euros fee (which is fair enough).
I booked a refundable hotel already in the summer, in case I won't get the tickets. But getting the ticket this year was relatively easy (though maybe I just got lucky).
There wasn't even enough assembly space this year, it was bursting at the seams. Sadly I think CCH is just too small for this conference. There's a much bigger conference space down the street, but the rumor is that going back to Leipzig (where it was held during the renovation of CCH) is back in discussion. That place was too big though.
At the time when this took place in Berlin, in the Berlin Congress Center, which was rather small, there were only a few hundred seats available, and most of them had already been allocated before they even went on sale.
It was also a great excuse to spend New Year's Eve in Berlin.
The Deutschlandticket talk was pretty cool. As Malcolm Tucker would say, "what a catastrofuck".
Miele washing machine hacking, very nice, I was going to say I'd be waiting to see someone integrate it into HA... and then looked up the Github repo and there's HA integration already there.
Thank you, and happy to answer questions on that, it's been a crazy time!
Maybe of relevance to non-security people here:
1. Most of it is about AI investigating event data in general, not just SOC/IR: cyber, intel, fraud, SRE, and we're even messing with customer 360 & social media data
2. For anyone into vibes coding or building agents, I encourage jumping to the "self-writing AI" section where we're finding we are moving internally from vibes coding -> vibes engineering -> and finally now to eval-driven AI coding loops
And, for anyone in security, doing careful evals here has indeed strongly colored my view on the market :)
Hey, I just saw your talk and for someone who's not really up to date with the latest AI developments it's eye opening what you got going in SoC investigations.
I personally work as a pentester and we're still doing a lot of manual work with AI simply as a better version of Google, but seeing the BOTS presentation I feel we can do better. Do you have any idea if anyone's working on something similar to Louie in the pentesting space, or if Louie could work with pentesting workflows?
Companies like xbow and horizon are using agents that talk to symbolic tools to automate more red teaming flows for different domains, so very much so. As shown in my talk, modern models are quite capable, and they aren't doing investigation-level scenario depth, more like scans, so seems like becoming the new expectation that everyone can & will do.
Companies like trail of bits are more interesting to me here, because they historically do deeper analysis. A place to look there is the darpa cc x ai (?) competition that finished at blackhat last year.
If in the US, we may be looking for a pen testing partner on an upcoming agentic AI contract, so feel free to msg - Leo @ graphistry
I recently made a radical proposal of public domain rules; it's inspired by GNU software licenses. It goes like this:
1. Anyone can use anything that is in the public domain.
2. Any creation that uses elements from the public domain is also, automatically, in the public domain.
3. Activate retroactively: When the first book in a series (for example) gets into the public domain, then the whole series (and franchise) becomes public domain.
(3) depends on what the initial rule is for something to get into the public domain.
P.S: It's a thought experiment, not an actual "let's implement it now!" thing.
That would make any movies based on stories in public domain impossible, because it would destroy all financial incentives to make them. No, derivative works should be on their own terms.
1. People still do software based on the GNU license. What's the difference?
2. I'm a mathematician - math is not copyrighted, yet it's still being done.
3. Is it really so important for society that copyrighted movies be based on old stories? Won't society benefit from new stories and characters?
To be clear, I don't propose to really implement it. But the existing system also sucks. I'm thinking that maybe incorporating such an idea into the existing system - limiting what you can do with public domain work - can be beneficial.
>People still do software based on the GNU license. What's the difference?
The right question to ask is what do they have in common, and the answer is nothing but an artificial legal construct of IP. To write public domain software you need a computer and 2 sqm of space (or even less) that you occupy while working. Material resources needed to shoot one movie are one big reason you need a financial model.
2. math is irrelevant here, has nothing in common with movies or music
You're comparing apples and really big complicated apples. Books are protected by copyright and they only need a computer and 2 sqm of space, right? People make copyright protected videos with 2 sqm of space and a phone that get as many views as many large budget movies.
I think the differences between inventing a story or song and inventing a theory are not as great as you pretend.
The big difference really is status quo and tradition.
>I think the differences between inventing a story or song and inventing a theory are not as great as you pretend.
I do not pretend anything and I'm not talking about inventing a story. I'm talking about movie production, which, even with heavy use of AI is by orders of magnitude more expensive than a piece of free software, and certainly cannot be done with a single computer.
Why are you choosing to compare inventing math to producing a movie? How does that help you advance your argument that it is reasonable for one to be under copyright and not the other?
Movies absolutely can be created with one computer. There was a movie shot entirely on an iphone. They can be edited on an iphone too. Heck, movies can be created without a single computer. That was the only way to make movies for many decades.
If something is important culturally and historically, financial incentives aren't really important (assuming you're not making a joke about Hollywood being creatively bankrupt).
Whenever it concerns expensive production, and historical pieces are inevitably not "Blair Witch" cheap, a financial model is very important. Given that this suggestion implies that copyright still exists, the film makers will have to choose either to raise money from the state or donations to make something from public domain works, or to explore material that is still copyrighted and count on box office and streaming revenues. The boundary between those choices is set to a random expiration number, the incentives are obviously skewed towards better pay, so chances are high that whatever enters the public domain will be quickly forgotten by the public.
It is an interesting thought experiment, but would pretty much make standalone copyable creative work like photography, books, music, or movies impossible to sell. Works could be created on commission, but there would be a strong disincentive for producing any work without commission.
1. People who make money from GPL software typically make their money from support contracts or from running a service. Unlike software, photography, books, music and movies don’t require any ongoing maintenance once created to keep them running or up to date. There is some value in the distribution of physical copies, but digital distribution would have almost no value.
2. Math is pretty much in this boat already. Most math work is either directly paid for by a company that consumes it, or is academic work with incredibly high barriers to entry and constant hustling for grant funding. I wouldn’t wish that on any field, would you?
3. Take for example Harry Potter or Lord of the Rings. While the characters are new, they draw upon a rich mythology from the public domain (eg dragons, goblins, wizards, witches, etc).
It is an interesting discussion, but I expect removing the freedom to use public domain works outside of the public domain would lead to very bad outcomes.
> 1. People still do software based on the GNU license. What's the difference?
The GPL family of licences are significantly different from Public Domain. There is still the option of relicensing for commercial use, for example, which is moot under a public domain status. Though some¹ treat the GPL as PD anyway…
MIT might be a more valid comparator, so to answer the question from that PoV: Money. Many OSS contributors do it to scratch their own itch, or for some definition of “community”, the cost of contribution is generally low (or feels like free) and they don't need anything back. Some are supported by donations or sponsorship but not the majority. Those in commercial environments are supporting projects (by contributions or sponsorship) that are useful to that commercial interest, so there is a benefit there but no need for direct payment (they may get payment for support and/or consulting services or via subscriptions for a paid-for hosted instance of whatever). Someone making a film of a book, or a licensed sequel/prequel/other, unless they are doing it for love or just shits & giggles like some fan-made efforts, generally needs/wants to make profit from it, especially in the case of film/TV which can have a large up-front cost - that is unlikely to happen if the new derived work is automatically public domain.
> 2. […] math is not copyrighted, yet it's still being done.
Not for Hollywood level money, it usually isn't :)
> 3. […] Won't society benefit from new stories and characters?
Yes, it certainly would IMO. But it turns out there is less easy money in that. People flock en masse to works based on familiar IP more than they do to original works, for better or (often) worse. To paraphrase MiB: A person is classy and appreciates original good art, people are a bunch of dumb consumers of fast food for the mind.
Original works do sometimes smash through that barrier of course, they then often become the new IP that a bunch of derived works are based on so in several years time they are part of the cycle makers of new original works are competing with.
> 3. Is it really so important for society that copyrighted movies be based on old stories? […]
No. But it is important for the entertainment industry, for the reason noted above. What is good for society isn't necessarily the same as what people are willing to pay for, and what is good for the producers of works (away from those doing it purely for their own satisfaction or sense of artistic vision) is what people are willing to pay to experience.
--------
[1] Onyx, makers of the Boox line of GPL violating e-ink devices, to name one of them², see comments on https://news.ycombinator.com/item?id=41412582 for more discussion about that.
[2] I pick them out from that small crowd because I might have been interested enough to buy one of their products were it not for this issue. Unfortunately many buyers are unaware of the matter, or are aware but don't care sufficiently for it to change their buying decision.
#1 is known to be problematic in open source, so it would need qualifications. #2 is so broad, it would make practically anything PD. And there's no reason for #3. It might even be implied by #2.
I don't care much about Betty Boop either, and I do care, like you, about The Maltese Falcon - but mostly I think that a version of The Maltese Falcon starring Betty Boop is definitely something I'd like to see!
There’s a tipping point in community size where the dynamic changes from personal relationships and actual discussion to parasocial broadcasting of some kind of consensus opinions.
I'm a foreigner living in the EU for many years, here's my 2 cents.
For over a year, I was locked out of financial services due to my inability to pass KYC. The reason was that I had already left one country, but was still in the process of getting a residency visa in another. During the process, I'm allowed to live in this country, but I have no ability to prove it to any financial institutions.
So, no wonder I'm bitter about KYC and AML.
Regarding privacy, I appreciate the EU's effort, but I also feel they focus too much on the legal side and not enough on the implementation side of it.
My ID was photocopied at almost every accommodation I visited in the last decade. I have no way to make private digital payments, and even offline cash is not being promoted.
At least once, my private financial record was accessed by a 3rd party that used it against me. But I'm not the kind of person who would go into a legal battle. I'm the kind of person who uses technology to protect his privacy. And the EU, with decisions like this, makes it very difficult for me.
I doubt banning Monero or Zcash would prevent criminals from tax evasion. They'll find other ways. So, as often happens, "Locks keep honest people honest".
> I'm allowed to live in this country, but I have no ability to prove it to any financial institutions.
That is very strange, because you should be able to get a temporary residence certificate (whatever it's called in your respective country) and thus get an account with if not all then at least most banks.
As someone who has been living in a couple of countries under a temporary residence I can say it's not that simple. In many cases the temporary residence is simply not accepted, or not in the list of standard docs, etc. Private companies don't really care about all those non-standard cases, and they ask either for a passport of the country or a permanent residence at least.
So legally yes, you can pass a KYC, but in practice you're an edge case no one cares about
Not OP but in a similar situation. In online banks there's nowhere to upload these temporary certificates, they accept a limited number of options (passport, residence card etc) and a temporary certificate printed on an A4 paper isn't one of them. You can try sending it via email to customer support, I did it with around 8 different banks and Revolut was the only one to reply and open an account for me after the manual review. Another one was PCS that didn't even ask for a residence permit but then it went bust, and it took around 6 months to get the money back.
Funnily enough this is still better compared to classic offline banks: none of them would have me even with the 4-year residence permit I have now. I come from a sanctioned country, I guess it raises some internal risk alarms. Only BNP did accept me at first but then after 3 months they froze my account with my salary on it.
I'm in the same position as the GP. Impossible, because EU bureaucracy sometimes yields kafkaesque deadlocks. For example, some EU countries stated that their permits given to Ukrainians are to be considered valid past the printed expiration date and thus stopped producing new plastic for them. Now, good luck finding any KYC provider that will accept that. Or any KYC provider that accepts Poland's printed TPS. Or any provider that doesn't chuckle at a set of documents, each of which is from a different country (like me). Etc, etc.
KYC is way, way more complex than it seems. Essentially, complete remote KYC is simply impossible.
Maybe this is a dumb question, but I am trying to understand this situation. There are still some physical bank branches and I assume at least some banks will open an account for you with that TPS if you visit a branch. Is that not correct? That way you would have access to at least some financial services, if not those where as you write (remote) KYC is needed.
I tried with one physical bank, and they refused; the expat forums said it's the same with all, though I didn't verify myself tbh.
The problem is that the only thing you get is a stamp in your passport saying you applied for a temporary residence permit (including the request number).
The border control people can then (I guess) use this number to verify that your case is still pending, so you're legal in the country. But since no one else can, you get no services.
[Edit: I should add that my main problem was with other financial services, not a bank, since I could use my existing bank accounts from another country. So maybe if I'd make enough effort, I would be able to open a physical bank account, but this was not the main problem for me]
Ah this sucks.
If I understand correctly, in our country the expats get a separate paper confirming they are here legally which for some uses (one of them is opening a bank account) has the same validity as an ID card.
You get a stamp in the passport that you're waiting for a decision regarding your stay, but it's meaningless to anyone besides the border control people.
I assume there will never be any implementation side to focus on, if there's no legal side to push for it. Because as we can clearly see around us, the tech boys don't give a zit on your accesses and privacy and rights, so they have to be pushed to care.
>I doubt banning Monero or Zcash would prevent criminals from tax evasion. They'll find other ways. So, as often happens, "Locks keep honest people honest".
You realize that "locks keep honest people honest" is a reason to have locks, right? The point is that honest people will commit tax fraud if we make it easy for them to do.
The thing is you kind of need KYC because otherwise it becomes too easy to launder money. Most countries have previously had problems with organized crime. In the US, the mafia had immense control in some cities in the early to mid 1900s. They're gone, in part, because of processes like KYC.
Many countries still have problems with organized crime, and it's getting worse even though they have aggressive KYC and AML. Israel is one example I'm familiar with. So it's a bit more complicated than that.
I understand the goal of KYC/AML, and maybe in some places it's implemented correctly. But from my limited experience in the EU, it can be easy for criminals to avoid it, but it makes my life difficult for no good reason (both for the privacy violation and for times when it simply fails).
The entire point of the expression is that many people will do things they shouldn't do if they are given an easy opportunity. The idea is that shame is ultimately what keeps most people in line. The vast majority of people won't commit armed robbery, but a few more will pickpocket, and more still will take the cash out of a wallet they've found before turning it in.
The point of creating friction is that it's the friction that keeps most people in line. A bike lock isn't going to protect your bike from being stolen by someone who is okay with being a bike thief, but if you leave your bike out without a lock, you've just opened yourself up to having it stolen by a much, much larger portion of the population who don't see themselves as "thieves" as they commit theft.
You can just look at what's happened on SF transit. SF has (intentionally) created a system where you technically don't have to scan your card to get on the bus if you have a monthly pass or use the iphone version of payment... the result is a shitload of people who would otherwise pay for the bus if you had to scan your card, and everyone knew you were cheating the system if you don't, they just don't pay now. If you make it easy for people to be bad actors, more people will be bad actors.
I would say yes for myself, but as a software developer I am baffled by business people to whom I have to basically explain this.
Some things are complex and will take months or years to complete - but if it doesn’t fit in a quarter where they can put it as a win on their list they feel offended.
I don't think so. He is rather talking about the properties of emergence in complex systems, and claims that the predictive theories we rely on to navigate the world will not hold in a dynamic system this interconnected ('no effective dynamics'), so we ought to be regularly retesting our assumptions.
Isn't every community like that after so long? Like, I don't like the way that Matt behaved recently, but regarding most of the complaints in the post -- these exist in any community or organization which is big enough and has been around for long enough.
They did, which is why it seems like a relevant example to your question. They shipped centralized, and have already replaced the centralized service they shipped with a decentralized service.
> They can monetise content that didn't originate on their platform.
They have been doing it for years.
> It shifts regulators attention from them to closed platforms like X.
It doesn't. Threads is just as closed (despite integrating an open protocol), and is still subject to the same scrutiny and provisions as the rest of Meta's products.
> They can leverage their advantages e.g. ad serving, safety to push competitors into niches.
So, let me get it straight. Facebook gained so much from adopting a decentralized protocol so they will inevitably move in the same direction that:
- they will use it to remain the only centralized service?
- they will use it to do the same thing they do before (serve ads, collect user data etc.) but somehow will be absolved of regulations and scrutiny?
Facebook messenger is not completely decentralized, but it is E2E encrypted now after years of struggle with governments and UX. It's definitely possible to move centralized systems to be more decentralized.
It's an example of somebody replacing a centralized protocol with a more decentralized one. It's also one of the biggest direct messaging platforms in the world with E2E encryption.
That depends on your definition of decentralization. Because of the way most people set up their apps, almost all Matrix users and ~all Signal users are using a centralized app under this definition.
> That depends on your definition of decentralization.
Decentralization literally means "not centralized". If you have a single centralized entity serving all your messages through a set of centralized servers, it makes the setup what?
> Because of the way most people set up their apps, almost all Matrix users and ~all Signal users are using a centralized app under this definition.
Yes, they do, and it's centralized. What exactly makes you think otherwise?